Wednesday, June 3, 2009

SNORT

Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS) capable of performing packet logging and real-time traffic analysis on IP networks. Snort was written by Martin Roesch and is now developed by Sourcefire, of which Roesch is the founder and CTO. Integrated enterprise versions with purpose-built hardware and commercial support services are sold by Sourcefire.

Snort performs protocol analysis and content searching/matching, and is commonly used to actively block or passively detect a variety of attacks and probes, such as buffer overflows, stealth port scans, web application attacks, SMB probes, and OS fingerprinting attempts. The software is mostly used for intrusion prevention purposes, dropping attacks as they take place. Snort can be combined with other software such as SnortSnarf, sguil, OSSIM, and the Basic Analysis and Security Engine (BASE) to provide a visual representation of intrusion data. With patches for the Snort source from Bleeding Edge Threats, packet-stream antivirus scanning with ClamAV and network anomaly detection with SPADE at network layers 3 and 4 become possible, using historical observation. (These patches seem to be no longer maintained.)
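To make the "content searching/matching" concrete, here is an added example (not Snort's own code) that parses a small subset of Snort's rule syntax and applies it to constructed packet records. The rules, SIDs, message texts and packets are all made up for this example; real Snort adds stream reassembly, protocol preprocessors and a fast-pattern matcher on top of this basic idea.

```python
"""Minimal Snort-style signature matching.

Added example, not Snort's own code. It parses a small subset of Snort's rule
syntax (rule header plus the msg, content, nocase and sid options) and runs
the rules over constructed packet records. Real Snort adds stream reassembly,
protocol preprocessors and a fast-pattern matcher on top of this basic idea.
"""
import re
from dataclasses import dataclass

# Constructed rules. SIDs from 1000000 upward are the range Snort reserves for
# local rules; the message texts are made up for this example.
RULES = """
alert tcp any any -> any 80 (msg:"WEB directory traversal attempt"; content:"../.."; sid:1000001;)
alert tcp any any -> any 445 (msg:"SMB probe"; content:"|FF|SMB"; sid:1000002;)
alert tcp any any -> any any (msg:"cmd.exe in payload"; content:"cmd.exe"; nocase; sid:1000003;)
"""

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$'
)

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str = ""
    sid: int = 0
    content: bytes = b""
    nocase: bool = False

def parse_content(value: str) -> bytes:
    """Turn a Snort content string such as '|FF|SMB' into bytes: text between
    pipes is a hex byte list, everything else is literal ASCII."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        out += bytes.fromhex(part) if i % 2 == 1 else part.encode()
    return bytes(out)

def parse_rule(line: str) -> Rule:
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    rule = Rule(m["action"], m["proto"], m["src"], m["sport"], m["dst"], m["dport"])
    # Options are ';'-separated key:value pairs; bare keywords like nocase have no value.
    # (This toy parser does not handle ';' or ':' inside quoted values.)
    for opt in (o.strip() for o in m["opts"].split(";")):
        if not opt:
            continue
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key == "msg":
            rule.msg = val
        elif key == "sid":
            rule.sid = int(val)
        elif key == "content":
            rule.content = parse_content(val)
        elif key == "nocase":
            rule.nocase = True
    return rule

def parse_rules(text: str) -> list:
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]

def field_matches(pattern: str, value) -> bool:
    return pattern == "any" or str(value) == pattern

def rule_matches(rule: Rule, pkt: dict) -> bool:
    """Header fields first (cheap), then a substring search of the payload."""
    if rule.proto != "any" and pkt["proto"] != rule.proto:
        return False
    for pattern, key in ((rule.src, "src"), (rule.sport, "sport"), (rule.dst, "dst"), (rule.dport, "dport")):
        if not field_matches(pattern, pkt[key]):
            return False
    payload, needle = pkt["payload"], rule.content
    if rule.nocase:
        payload, needle = payload.lower(), needle.lower()
    return needle in payload

def inspect(packets: list, rules: list) -> list:
    """Return (packet index, sid) for every rule that fires, in packet order."""
    return [(i, r.sid) for i, pkt in enumerate(packets) for r in rules if rule_matches(r, pkt)]

# Constructed packet records, not real captures.
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 51000, "dst": "192.0.2.10", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 51001, "dst": "192.0.2.10", "dport": 80,
     "payload": b"GET /../../secret.txt HTTP/1.1\r\nHost: example\r\n\r\n"},
    {"proto": "tcp", "src": "10.0.0.7", "sport": 40000, "dst": "192.0.2.20", "dport": 445,
     "payload": b"\x00\x00\x00\x2f\xffSMBr\x00\x00\x00"},
    {"proto": "tcp", "src": "10.0.0.9", "sport": 40001, "dst": "192.0.2.30", "dport": 8080,
     "payload": b"... CMD.EXE ..."},
]

if __name__ == "__main__":
    rules = parse_rules(RULES)
    for idx, sid in inspect(PACKETS, rules):
        rule = next(r for r in rules if r.sid == sid)
        print(f"[{rule.action}] packet {idx}: sid {sid} - {rule.msg}")
```

Running it fires one rule per matching packet: the traversal pattern on port 80, the SMB header bytes on port 445, and the case-insensitive match on any port. The header checks are deliberately evaluated before the payload search, which is the same ordering principle (cheap filters first, expensive content matching last) that lets a real IDS keep up with line rate.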


Monday, June 1, 2009

Network Vulnerability Assessment Using Data Mining Techniques

By Daminda Perera


The proposed framework would monitor network traffic in detail to analyze and classify the data connections, and thereby carry out a network vulnerability assessment of the hosts/networks.


Problem:

Due to the dynamic nature of traffic characteristics and the ever-changing network environment, network vulnerability assessment has proven to be complex, error-prone, costly and inefficient for many large networked organizations.
This framework will comprise a set of techniques and algorithms to assess network vulnerabilities with the help of data mining techniques.
One of the main problems to be addressed is how useful, up-to-date, well-organized and efficient network vulnerability assessments are in reflecting the current characteristics of network traffic.

Objective:

The main objective is to prepare a set of techniques and algorithms to analyze and assess network vulnerabilities:
(1) A data mining technique to deduce network vulnerabilities by mining the network traffic log based on frequency and behavior;
(2) A technique to identify the dominant vulnerabilities and any vulnerabilities that decay over time.
The secondary objective is to prepare a portable network vulnerability analyzer, which can be used to monitor/analyze vulnerabilities in the network traffic generated by networks/network nodes. This device is supposed to be connected to the network port of the computer/PC without changing the client's network topology configuration. The proposed toolkit may be able to sit between the LAN and the LAN's exit point, generally the WAN or Internet router, so that all packets leaving and entering the network pass through it. In most cases the toolkit would operate as a bridge on the network so that it is undetectable by users.

Deliverables

1. A set of techniques and algorithms to deduce network vulnerabilities by mining the network traffic log based on frequency and behavior.
2. A new software toolkit to analyze network traffic for troubleshooting purposes while detecting unwanted traffic such as worm/virus traffic: a portable toolkit capable of analyzing and troubleshooting problems that may be caused by worm/virus attacks or intrusion attacks.
3. A detailed study of the existing/common network traffic analysis and classification techniques.

Methodology

Various software tools are available to measure network traffic. Some measure traffic by sniffing, while others use SNMP-like methods to measure bandwidth use on servers, routers and so on. Certain vulnerability assessment work, however, needs the traffic analyzed in detail, and the traffic analyzer must be positioned at different locations in the network to carry out the vulnerability detection. It is therefore necessary to have a device with a suitable software toolkit that does not disturb the network topology and can be set up fairly fast.

Further, packet sniffers are very useful for network experts tracking down tricky problems, but the volume of information they generate is enormous. A fast broadband connection can transmit thousands or millions of packets per second, and inspecting each one in detail is unlikely to help you make your network faster. In addition, understanding the output of these analyzers requires a detailed understanding of network protocols such as TCP/IP and HTTP. A broad protocol-level overview would be useful, at least as a starting point for tracking down the vulnerabilities of a network.

In this research, I would like to introduce a new technique for network vulnerability assessment using data mining, consisting of anomaly detection, generalization and rules for data mining using frequency-based techniques. In summary, the steps are: (1) to provide the capacity to reflect the current trend of network traffic, and thus to assess in real time, from traffic log data files, whether the network contains vulnerabilities; (2) to provide a tool to analyze traffic patterns for further analysis and anomaly detection, including hidden vulnerabilities, and for decision making; (3) to apply various data mining techniques to handle both discrete and continuous attributes with operational efficiency and flexibility; and (4) to demonstrate that data mining based algorithms are not only feasible but also more accurate and effective (as the traffic log dataset is projected to grow in size and variation).

The mining-based anomaly detection exposes many hidden vulnerabilities: not only the types of anomaly detectable by analyzing the traffic logs over long time periods, but also those anomalies not detectable by analyzing the traffic logs over short periods. As a result, this analysis may reveal new types of anomalies in the networks.
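As an added illustration of the frequency-based mining described in this and the preceding paragraph (example code, not part of the proposal or of any work it references), the following script builds per-host behavior profiles from a constructed flow log, scores each host-window pair against the whole population with a robust median/MAD outlier test, and measures whether traffic to a given port is growing or decaying across time windows, which is the "dominant versus decaying vulnerabilities" idea from the objectives. The record format, IP addresses, window size and thresholds are all assumptions made for the example.

```python
"""Frequency-based mining of a connection log: per-host behaviour profiles,
robust outlier scoring, and per-port trends (dominant vs. decaying) over time.

Added example, not code from the proposal. Every flow record below is
constructed; a real deployment would feed parsed sniffer or flow-export
records from the bridge device the proposal describes.
"""
from collections import Counter, defaultdict
from statistics import mean, median, pstdev

WINDOW = 60  # seconds per time bucket (an assumption for this example)

def flows(t0, src, dst, ports):
    """Constructed-data helper: one (time, src, dst, dport) record per port, one second apart."""
    return [(t0 + i, src, dst, p) for i, p in enumerate(ports)]

LOG = (
    # window 0: two ordinary clients plus repeated probes to port 445
    flows(1, "10.0.0.2", "192.0.2.10", [80, 443, 53])
    + flows(5, "10.0.0.3", "192.0.2.10", [80, 80, 53])
    + flows(30, "10.0.0.5", "192.0.2.20", [445] * 4)
    # window 1: the 445 probes continue, less often
    + flows(61, "10.0.0.2", "192.0.2.10", [80, 443, 53])
    + flows(65, "10.0.0.3", "192.0.2.10", [80, 443])
    + flows(90, "10.0.0.5", "192.0.2.20", [445] * 3)
    # window 2: one host touches 12 distinct ports within seconds (scan-like behaviour)
    + flows(121, "10.0.0.2", "192.0.2.10", [80, 53])
    + flows(125, "10.0.0.3", "192.0.2.10", [80, 80, 443])
    + flows(150, "10.0.0.5", "192.0.2.20", [445] * 2)
    + flows(160, "10.0.0.9", "192.0.2.20", [21, 22, 23, 25, 80, 110, 135, 139, 443, 1433, 3389, 8080])
    # window 3: the 445 probes have almost died out
    + flows(181, "10.0.0.2", "192.0.2.10", [80, 443, 53])
    + flows(185, "10.0.0.3", "192.0.2.10", [80])
    + flows(210, "10.0.0.5", "192.0.2.20", [445])
)

def profile(records, window=WINDOW):
    """Per (window, src) features: connection count and number of distinct destination ports."""
    conns = Counter()
    ports = defaultdict(set)
    for t, src, dst, dport in records:
        key = (t // window, src)
        conns[key] += 1
        ports[key].add(dport)
    return {k: {"conns": conns[k], "ports": len(ports[k])} for k in conns}

def modified_z(values):
    """Iglewicz-Hoaglin modified z-scores (median/MAD based), so that a single
    scanning host does not inflate the baseline the way mean/stdev would."""
    med = median(values)
    mad = median([abs(v - med) for v in values])
    if mad == 0:  # degenerate spread: fall back to an ordinary z-score
        sd = pstdev(values)
        return [(v - mean(values)) / sd if sd else 0.0 for v in values]
    return [0.6745 * (v - med) / mad for v in values]

def anomalies(records, window=WINDOW, threshold=3.5):
    """(window, src, feature, score) for every feature value that is an outlier
    against the distribution of that feature over all host-window pairs."""
    prof = profile(records, window)
    keys = sorted(prof)
    found = []
    for feat in ("conns", "ports"):
        scores = modified_z([prof[k][feat] for k in keys])
        for (w, src), z in zip(keys, scores):
            if z > threshold:
                found.append((w, src, feat, round(z, 2)))
    return sorted(found)

def trend(records, dport, window=WINDOW):
    """Flows to dport per window, the least-squares slope across windows, and a
    coarse label: a negative slope means the activity is decaying, a positive
    one that it is growing towards dominance."""
    buckets = [t // window for t, _, _, _ in records]
    hits = Counter(t // window for t, _, _, p in records if p == dport)
    counts = [hits[w] for w in range(min(buckets), max(buckets) + 1)]
    xs = list(range(len(counts)))
    if len(xs) < 2:
        return counts, 0.0, "stable"
    mx, my = mean(xs), mean(counts)
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, counts)) / sum((x - mx) ** 2 for x in xs)
    label = "decaying" if slope < -0.5 else "growing" if slope > 0.5 else "stable"
    return counts, slope, label

if __name__ == "__main__":
    for w, src, feat, z in anomalies(LOG):
        print(f"window {w}: {src} {feat} outlier (modified z = {z})")
    for port in (445, 80):
        counts, slope, label = trend(LOG, port)
        print(f"port {port}: per-window counts {counts}, slope {slope:+.2f} -> {label}")
```

On this data the only host-window pair flagged is 10.0.0.9 in window 2, on both features, while the port 445 probing is reported as decaying (4, 3, 2, 1 flows per window) and ordinary web traffic as stable. The median/MAD scoring is the point worth noting: with a plain mean and standard deviation the scanning host would drag the baseline towards itself and partly mask its own outlier status, which is exactly the "short period versus long period" sensitivity problem the proposal raises.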

In conclusion, data mining will be shown to be not only a viable option but also a practical, effective and critical approach to real-time network vulnerability assessment.
